$30 off During Our Annual Pro Sale. View Details »

NTC 2018: Securing Your Website with HTTPS

NTC 2018: Securing Your Website with HTTPS

Co-presented with Ben Byrne: https://www.slideshare.net/drywallbmb/presentations

There is a growing appetite for the ability to browse the web securely. Trends clearly show that the public’s tolerance for the non-secure-site-as-default is waning fast. Increasingly, sites that are not secure get called out publicly by users via social media channels; they cannot achieve higher search engine rankings, and they become vulnerable to security breaches and lawsuits.

If your organization is not serving its public-facing and internal sites over HTTPS, then you will want to come learn more about what HTTPS is, why your organization needs it, and how to make the case for this method of encryption back at the office.

Come learn about:

* The difference between HTTP and HTTPS
* The benefits and challenges of getting your site on HTTPS
* Free tools and services
* Tips and best practices when planning for and implementing HTTPS
* How to garner support for the switch inside your organization

This session will be designed for our non-technical colleagues. It will be delivered in plain language and there will be a generous amount of time left for questions and answers.

Learning Objectives

* Understand browser privacy and the current trend toward browser encryption, and differences between security and privacy
* Review the steps to switch to HTTPS, ways to mitigate risk, and the tools and services available to you
* Learn how to make a solid case for HTTPS inside your organization

Katherine White

April 12, 2018
Tweet

More Decks by Katherine White

Other Decks in Technology

Transcript

  1. SECURING YOUR WEBSITE WITH HTTPS WHAT IT IS AND WHY

    YOU NEED IT — NOW #18NTCHTTPS 04/12/2018 Ben Byrne, Cornershop Creative
 Katherine White, Kanopi Studios
  2. GETTING STARTED WHAT WE’LL DISCUSS ▸ What is HTTPS? ▸

    HTTPS Myths ▸ Security, Privacy, and the Public ▸ Why to update NOW ▸ Benefits and Challenges ▸ Steps to Implement HTTPS
  3. GETTING STARTED ABOUT US ▸ Ben Byrne ▸ Co-founder of

    Cornershop Creative ▸ Lives in Santa Rosa, CA ▸ Katherine White ▸ Director of Engineering at Kanopi Studios ▸ Lives in Austin, TX
  4. SECURE ONLINE COMMUNICATIONS HAPPEN WHEN AN SSL CERTIFICATE ISSUED BY

    A CERTIFICATE AUTHORITY ENABLES A SITE TO TRANSFER ENCRYPTED CONTENT OVER A SECURE PROTOCOL.
  5. WHAT IS HTTPS? “SSL” CERTIFICATES ▸ Digital certificate that authenticates

    the identity of a website ▸ It isn’t actually “SSL” any more, but the term 
 has stuck ▸ Contains information about the certificate holder and authority
  6. WHAT IS HTTPS? “SSL” CERTIFICATE TYPES ▸ Single Domain Certificates

    ▸ Multi-Domain Certificate (MDC) ▸ Wildcard Certificate ▸ CAs cannot issue all types at all levels
  7. WHAT IS HTTPS? “SSL” CERTIFICATE LEVELS ▸ Extended Validation (EV)

    Certificates ▸ Highest level of security ▸ Rigorous validation process by the CA ▸ Organization Validated (OV) Certificates ▸ Domain Validated (DV) Certificates ▸ The most common certificate level ▸ Ensures the domain is controlled by the certificate requestor
  8. WHAT IS HTTPS? WHAT IS A “CERTIFICATE AUTHORITY” (CA)? ▸

    Trusted third-party organization ▸ Certifies a website (and the organization behind it) is who it says it is ▸ “Trusted” is defined by web browsers and operating systems
  9. WHAT IS HTTPS? ENCRYPTION KEYS ▸ Symmetric vs Asymmetric ▸

    Private Key - encrypts content so it cannot be read in transit ▸ Public Key - decrypts content when it reaches its destination ▸ Public Key is available on your SSL Certificate ▸ Private Key exists only on the server
  10. WHAT IS HTTPS? THE “HANDSHAKE” ▸ Client says “hello” -

    tells the server what it can handle ▸ Server says “hello” back - tells the client what encryption details will be used ▸ Client checks out the server’s SSL Certificate ▸ Keys are exchanged ▸ Single symmetric key is established for the duration of the conversation
  11. WHAT IS HTTPS? ENCRYPTION ALGORITHMS ▸ This is not a

    technical talk! ▸ The way keys are encrypted for exchange ▸ RSA is the most common, and there are lots of RSA cipher suites ▸ Encryption is a giant study in acronyms (RSA, SHA, AES, DES…) ▸ Used to generate your private and public keys based on your certificate type Phew. openssl req -new -sha256 -key www.example.com.key -out www.example.com.csr
  12. WHAT IS HTTPS? WHAT ARE SSL AND TLS? ▸ Protocols

    are a set of rules ▸ Defines the steps taken during the “handshake” process ▸ Steps are focused on ensuring the communication is secure ▸ SSL: Secure Sockets Layer - older, now prohibited ▸ TLS: Transport Layer Security - the modern standard ▸ People still use the terms interchangeably
  13. WHAT IS HTTPS? USING HTTP STRICT TRANSPORT SECURITY (HSTS) ▸

    Forces a browser to ONLY use HTTPS to interact with the site ▸ Security policy that mitigates some kinds of attacks ▸ Sent by the server ▸ Recommended for the most secure implementation ▸ Comes after getting your certificate set up
  14. SECURE ONLINE COMMUNICATIONS HAPPEN WHEN AN SSL CERTIFICATE ISSUED BY

    A CERTIFICATE AUTHORITY ENABLES A SITE TO TRANSFER ENCRYPTED CONTENT OVER A SECURE PROTOCOL.
  15. A MAJORITY OF AMERICANS (64%) HAVE PERSONALLY EXPERIENCED A MAJOR

    DATA BREACH. Pew Research Center, 2017 WHY IT MATTERS
  16. ROUGHLY HALF OF AMERICANS (49%) FEEL THAT THEIR PERSONAL INFORMATION

    IS LESS SECURE THAN IT WAS FIVE YEARS AGO. Pew Research Center, 2017 WHY IT MATTERS
  17. AMERICANS CONSISTENTLY LACK CONFIDENCE IN THE SECURITY OF EVERYDAY COMMUNICATION

    CHANNELS AND THE ORGANIZATIONS THAT CONTROL THEM – PARTICULARLY WHEN IT COMES TO THE USE OF ONLINE TOOLS. Pew Research Center, 2016
  18. WHY IT MATTERS SOCIAL MEDIA ▸ Users are increasingly calling

    out organizations that do not have secure sites ▸ Especially applies to logins and financial transactions ▸ Will only increase with Chrome move in July (55% of browser use)
  19. STEP 1: IDENTIFY YOUR DOMAINS TIPS ▸ Determine your strategy

    for managing subdomains, especially if you have a large network of sites ▸ If it is only a few subdomains, it’s straightforward to add them to a single Multi-Domain Certificate (MDC) ▸ Let’s Encrypt now supports wildcard certificates
  20. STEP 2: FIND A CERTIFICATE PROVIDER TIPS ▸ Determine the

    level and type of certificate(s) needed by your organization ▸ See what relationships your hosting provider may already have ▸ Let’s Encrypt offers free Domain Validated certificates for sites
  21. STEP 2: FIND A CERTIFICATE PROVIDER TOOLS ▸ Let’s Encrypt

    - https://letsencrypt.org/ ▸ CloudFlare - https://www.cloudflare.com/ssl/ ▸ Comodo - https://www.comodo.com/ ▸ GlobalSign - https://www.globalsign.com/ ▸ …and many others
  22. STEP 3: GET & INSTALL CERTIFICATE(S) TIPS ▸ Check with

    your hosting provider — many have built-in support TOOLS ▸ Certbot (uses Let’s Encrypt) https://certbot.eff.org/ ▸ https://www.eff.org/https-everywhere/deploying-https
  23. STEP 4: UPDATE URLS ASSET CHECKLIST ▸ Fonts ▸ Images

    ▸ Scripts & Stylesheets ▸ Social media ▸ Embedded media (audio, video) ▸ Iframes ▸ Tracking scripts like CRM and analytics tools
  24. STEP 4: UPDATE URLS TIPS ▸ Think about links between

    your site content as well as links to your assets ▸ Ensure all form submissions, including those embedded from third-party tools, are using HTTPS ▸ Assets served from a CDN must also be secured, if applicable ▸ Tools included by your third party tools affect you, too
  25. STEP 5: VERIFY HTTPS WORKS TIPS ▸ Validate your configuration

    after you deploy your certificate to make sure everything is set up correctly ▸ Run another content scan (see the Step 5 tools) to be sure all URLs have been converted ▸ Don’t require HTTPS (Step 6) until everything works the way you want it to
  26. STEP 5: VERIFY HTTPS WORKS TOOLS ▸ SSL Labs -

    https://www.ssllabs.com/ ▸ DigiCert configuration check - https://www.digicert.com/help/ ▸ Comodo SSL analyzer - https://sslanalyzer.comodoca.com/ ▸ Chrome Lighthouse - https://developers.google.com/web/tools/ lighthouse/
  27. STEP 6: FORCE HTTPS TIPS ▸ Your web host should

    provide platform-specific documentation ▸ Some have an automated implementation ▸ Usually managed at the web server level ▸ Now’s a good time to update Google Webmaster Tools/Search Console
  28. STEP 7: IMPLEMENT HSTS TIPS ▸ Start with a short

    time-to-live (TTL) of 5 minutes; increase this in stages (one week and one month) ▸ Once your testing is complete, consider HSTS Preloading ▸ Adds you to a global list of hosts who enforce HSTS that is built in to a browser ▸ Reduces any vulnerability that comes with the first request to a site ▸ Requires that all your subdomains use HTTPS ▸ Submit a preload request (and read the requirements):
 https://hstspreload.org/
  29. WRAP UP THANK YOU! ▸ Provide your feedback: http://po.st/FTOiLr Ben

    Byrne Founder & Chief Creative Officer
 Cornershop Creative
 [email protected] 
 @drywall Katherine White
 Director of Engineering
 Kanopi Studios
 [email protected] 
 @katherinemwhite
  30. FOOD FOR THOUGHT YOUR PERSPECTIVE ▸ What is your biggest

    concern with moving to HTTPS? ▸ What horror stories have you heard, or lived through? ▸ Are there ways you feel HTTPS will impact your site that we haven’t talked about?